Position Paper

Toll fraud prevention

Lock thieves out of your phone system

They're called hackers, phone phreaks, dump bin divers and shoulder surfers. They sell information among themselves and they cost businesses millions of dollars each year. They use weaknesses in corporate Call Server/PABX/Key System programming for personal gain at the (considerable) expense of the victims, and your system may be their next target. So what can you do to protect your system from toll fraud?

Get educated in toll fraud tactics

One of the best ways to help protect your company Call Server/PABX/Key System (referred to as PBX in the remainder of this document) from toll fraud is to learn how hackers gain access to your system so that you can block their entry. These perpetrators can use several methods of hacking a PBX to reprogram it.

Think security and protect your money

Why do they do it? People like free things. A free phone call doesn't exist. Whether it's a hacked payphone or a cheap call to the home country via a series of PBXs and trunks across the world, someone pays. Free phone calls are theft from someone else.

How do they do it?

Logins and passwords on a maintenance modem and the PBX will restrict remote access to authorized parties only. However, leaving these off or set to well-known default values leaves the way open for hackers anywhere in the world to remotely access and reconfigure the PBX, modify security and dialing parameters, design a plan to dial in and out of your system, and return when you aren't suspecting anything out of the ordinary. The toll fraud perpetrators are experienced in the technology of all PBXs and voicemail systems on the market. Don't let them get remote access to your system.

Direct Inward System Access (DISA) is designed for offsite employees to connect and make business long distance calls as if they were inside the company's PBX, with the calls billed directly to the company. DISA is usually used for after-hours long distance or international calls that can be made from home rather than staying back in the office. Password mechanisms for DISA allow secure operation, but leaving them off exposes the company to toll fraud by hackers who discover or know of the DISA dial-in number(s). Hackers gaining access to your system's programming core can also set up a password-liberated DISA number without you knowing it. If you don't need it, have DISA removed from your PBX. If DISA is installed, regularly check (daily) whether DISA has been activated.

Voicemail allows saving and remote retrieval of messages. Mailboxes also have a password to provide secure access. If a mailbox password is guessable and the system is not tightly programmed, a hacker might be able to reprogram the background database and operator number to obtain international access, to use whenever they want it, just by dialing 0. Transferring out of the mailbox means that the number can be re-used, in fact over and over, until all the company's lines are in use. Stop hackers at the first stage by having secure mailbox passwords, changing them regularly and deleting unused mailboxes. Right from a new installation, never allow default mailbox and administrator passwords to be retained in your system.

What should owners do?

Decide what you need from your system

PBXs can restrict calls by numbers, time of day, country codes, etc. The owner must decide what suits their business and what procedures and policies need to be in place to keep the system secure. When key communications or administrator staff leave, does the system get checked? Stay vigilant, stay suspicious and keep records.

Monitor your call costs and destinations

Know what your calls are costing. The marketplace offers telephone accounting and control systems of varying complexity and cost. Simpler systems keep records and might calculate call costs. More complex systems control the PBX security and provide alerts with inbuilt, programmable toll fraud detection systems.
A typical weekend toll fraud hit with 20 to 30 trunks in use can cost as much as an employee's yearly wage, and because the calls are valid calls to your local carrier, the bills will be legally payable. Toll fraud is big business and it's organized. Businesses can go bankrupt on toll fraud bills. Know of irregularities well before the monthly phone bill arrives with any bad surprises. Ask your installer or service provider what steps to take if you suspect toll fraud.

Lock down the outgoing destinations

PBXs have multiple, powerful measures to restrict calls to inside the local system only, which is totally secure. Most toll frauds are enabled via poor administration practices and badly programmed parameters, usually based on customer requests.
Call your installer or service provider and jointly review what numbers are allowed and barred in your system. Adopt the philosophy of initially barring all outside calls and only opening up to places that are requested or approved, and keep records. This approach allows all the new services being added by carriers to be automatically excluded until they are specifically allowed. Forwarding calls to mobiles can be barred unless allowed to specified numbers. Use a quality process where positive action is in place to review each request.

Control physical security

Determine how secure your PBX or computer switch room is. If anyone can walk in without being noticed or questioned, you may be the next victim of a more direct form of toll fraud attack. Provide escorts where necessary. Keep sensitive details such as passwords and network diagrams out of sight.

Change codes and authorizations

Delete employee authorization codes when they leave your company. If they bear any ill will, they may use or sell the important codes as a means of getting revenge. Secure the passwords of your own company and your clients.

Document a plan of action

Develop a formal action plan as a toll fraud counter-measures policy in your company. Have procedures worked out so you know who to contact (the company, the installer, the carrier, the users) in emergencies and what short-term actions need to be taken. Work out what facilities can be cut in emergencies until security is restored.

Periodic auditing

It is prudent to have PBXs audited at regular intervals to check for security weak points and how well the programming suits the needs of the company. Investigate the features of newer releases with your supplier.

Use toll fraud protection tools

Nortel ensures that a high level of security is built into every Meridian, Communication Server 1000 (CS 1000), Business Communications Manager (BCM) and Norstar system.
However, as a system user, it is your responsibility to maintain your system's security and implement as many of its safeguards as possible. Consider barring all calls and opening up only what is officially requested and approved via a change control process and change records. That way, new telephone company features don't slip under your guard; for example, new operators connect services that are allowed by default unless they are barred.

Meridian, Communication Server 1000, Business Communications Manager and Norstar system software

Your Meridian, CS 1000, BCM and Norstar system software is your first line of defense against toll fraud. Keeping your system up to date with the latest release of software and current patches reduces your risk of falling victim to fraud. Once your system is installed, you need to ensure that your company is using the appropriate protective features that are built into your PBX. For example, you can use the Call Detail Recording feature to output authorization codes as well as calling and called parties, and the time and duration of calls. Including authorization codes allows you to review call records and detect toll fraud initiated from either inside or outside your company. Configuration settings carried forward following upgrades should always be checked after the upgrade to ensure they still meet your business needs and prevent potential toll frauds.
Protect remote access ports to your PBX by using the available security features. These require both user identification and an alphanumeric password. You can then enable the invalid login attempt threshold to restrict hackers' attempts to guess passwords. Lock the port out for up to three hours and activate the audit trail to track who has been in your system and to see what they have accessed. Activate a Security Banner for PBX remote access ports to alert those attempting illegal access that they are trespassing. It may not stop their attempt, but it serves as a warning and legally eliminates the defense of ignorance. Hackers are impatient and won't spend their own money. Make it hard for them.

Another way to limit toll fraud is to restrict Call Forward to internal numbers only and to limit the number of Call Forward digits. If Call Forward External is needed, call forwards can be restricted to individually specified numbers, especially mobiles, so it's still a powerful but flexible form of restriction.

Direct Inward System Access (DISA)

Your organization may permit employees to access long distance services using personal authorization codes even when they are on the road. At the same time, you need to keep those codes out of the hands of hackers and thieves. The first level of security you can establish for Direct Inward System Access (DISA) is a security code. Using the Meridian/CS 1000/BCM/Norstar Security Code and path restriction features, you can require callers to enter a one- to eight-digit code to gain access to long-distance calling. The longer the code you require, the harder it will be for hackers to crack. Once callers gain system access with a DISA code, the system allows you to impose additional calling security measures. For example, you should require callers to enter a personal authorization code in addition to the security code to use outgoing lines.
To help customers enforce security, DISA is a feature that is now available by request rather than as a standard capability. If you have a system and want to disable DISA capabilities, contact your distributor or maintenance provider. You may also want to consider using Network Speed Call to limit where DISA users can call.

Meridian Mail, Norstar Voice Mail (NVM) and CallPilot

Your voicemail system is another avenue for the perpetrators of toll fraud. However, you can minimize the risk of toll fraud by using features that control access to your PBX. Remember, with PBXs, you can restrict calls to a total lock-down and open them up to your very specific requirements. Force users to change their password on the first log-in to their mailbox and/or add a prefix as well. Remove unused mailboxes to prevent fraudulent operations within your system. NEVER allow users to have passwords that are related to their extension number or mailbox number (forwards, backwards, etc.), or simple keypad lines and diagonals. Minimize password re-use by defining how many unique passwords are required before older ones may be reused, and minimize the number of days between password changes, forcing passwords to be changed periodically and frequently.
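The mailbox password rules above can be enforced mechanically at PIN-change time. The following is an added example, not code from the original paper or from CallPilot, Meridian Mail or Norstar Voice Mail; the minimum length, the history depth and all sample extension and PIN values are assumptions.

```python
"""Mailbox PIN policy check.

Added example, not from the original paper or any voicemail product. It
encodes the password rules stated above: no PIN derived from the extension
or mailbox number (forwards or backwards), no keypad lines or diagonals,
no repeated or sequential digits, and no reuse of recent PINs. The minimum
length, history depth and sample numbers are constructed values.
"""
from collections import deque

# The 3x3 digit block of a standard telephone keypad (0 sits below 8).
KEYPAD = ["123", "456", "789"]


def _keypad_lines():
    """Rows, columns and both diagonals of the keypad, read either way."""
    rows = list(KEYPAD)
    cols = ["".join(r[i] for r in KEYPAD) for i in range(3)]
    diags = ["".join(KEYPAD[i][i] for i in range(3)),
             "".join(KEYPAD[i][2 - i] for i in range(3))]
    lines = rows + cols + diags
    return set(lines) | {line[::-1] for line in lines}


KEYPAD_LINES = _keypad_lines()   # "123", "147", "159", "357", ..., "987"


def pin_problems(pin, extension, mailbox, min_len=6):
    """Return the list of policy violations for a PIN (empty means it passes)."""
    if not pin.isdigit():
        return ["not numeric"]
    problems = []
    if len(pin) < min_len:
        problems.append("too short (minimum %d digits)" % min_len)
    # Extension or mailbox number, forwards or backwards, anywhere in the PIN.
    ids = {extension, extension[::-1], mailbox, mailbox[::-1]}
    if any(i and i in pin for i in ids):
        problems.append("contains extension or mailbox number")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    # Any three consecutive digits forming a keypad row, column or diagonal.
    if any(pin[i:i + 3] in KEYPAD_LINES for i in range(len(pin) - 2)):
        problems.append("keypad line or diagonal")
    # Straight ascending or descending runs such as 345678 or 987654.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if len(pin) >= 3 and (steps == {1} or steps == {-1}):
        problems.append("sequential digits")
    return problems


class MailboxPinPolicy:
    """Applies pin_problems and keeps a short per-mailbox PIN history, so a
    PIN cannot be reused until history_depth newer PINs have been set."""

    def __init__(self, history_depth=5):
        self.history_depth = history_depth
        self._history = {}

    def change_pin(self, mailbox, extension, new_pin):
        """Return violations; an empty list means the new PIN was accepted."""
        problems = pin_problems(new_pin, extension, mailbox)
        past = self._history.setdefault(mailbox, deque(maxlen=self.history_depth))
        if new_pin in past:
            problems.append("reused within last %d PINs" % self.history_depth)
        if not problems:
            past.append(new_pin)   # accepted: becomes the current PIN
        return problems


if __name__ == "__main__":
    policy = MailboxPinPolicy(history_depth=2)
    for pin in ("7144", "147258", "938172", "938172"):   # constructed PINs
        print(pin, policy.change_pin("4417", "4417", pin) or "OK")
```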
Businesses spend money and effort protecting their data systems and computer access, but neglect their phone systems, leaving them open to toll fraud.

Three features that can assist you in establishing a voicemail security program at the mailbox level are a) Thru-Dial Restriction/Outbound Transfer Restriction, b) Password Change/Expiry and c) Invalid Log-in Attempts. Monitor your voicemail reports for suspicious activity. Remove Outbound Transfer from those CallPilot classes of service that don't require it. Enable Trivial Password prevention and checking in CallPilot. Use CallPilot's ability to set up Restriction Permission Lists (RPLs) to control out-calling. CallPilot's ability to monitor specific mailboxes/IP addresses via its Hacker Monitor feature should be set up to generate an alarm if suspicious activity is detected. The alarm, in turn, can be set up to trigger a remote notification, e.g., to contact the system administrator if suspicious activity is detected during off-hours. With each new release of voicemail software, new security features are added. Keeping your voicemail software up to date also puts a lock on your system and gives you peace of mind. Configuration settings carried forward following upgrades should always be checked after the upgrade to ensure they meet your business needs and prevent potential toll frauds.

Interactive Voice Response and Auto-attendant systems in your system

These sub-systems assist digit-based selection of facilities within the PBX. If they use thru-dialing/out-dialing, the destinations must be restricted to the intended parameters. All combinations of numbers that can be dialed in, especially unused numbers in a publicized menu, need to be checked to confirm that they return to a known safe point in the designed system.

Virtual ACD agents

Non-physical numbers are sometimes used in the control of ACD queues. These numbers need to be access controlled in the same manner as normal, physical numbers.
Checklist for protecting your PBX

Deny unauthorized access. Thieves can access long distance facilities through your voicemail system. You can block thru-dialing/out-dialing by ensuring that access codes for external calling, special prefix codes and flexible feature codes are blocked.

Secure DISA numbers. You should not publish DISA numbers. Require outside callers making incoming calls to a DISA line to input a security code and an authorization code (Meridian/CS 1000) or Class of Service (CoS) password (Norstar, BCM) with as many digits as your company's corporate culture will allow. Don't use employees' extension, home phone or ID numbers as security codes, authorization codes or CoS passwords, because hackers may be able to break these codes easily.

Foil the dump bin diver. Don't throw out call detail records and system drawings. Dispose of these materials, including switch printouts and old documentation, as you would any proprietary material, via shredders or secure disposal bins. Information like this will be paid for by criminal elements, so there are a lot of spies around, inside and outside your company.

Change codes frequently. Change the authorization and voicemail passwords, security codes and Class of Service passwords as often as is appropriate for the user community. Delete the codes of former employees. Change the passwords for PBXs and voicemail systems, including administration access from terminals, regularly. Also, change system passwords when key personnel with password knowledge leave your organization.

Maintain secure authorization codes. Treat authorization codes like credit card numbers. Don't allow employees to share authorization codes. Use as many digits in authorization codes as possible for your user community.

Monitor calls. Most toll fraud is generated in a short time, days to weeks, and usually after hours when detection is least likely. Monitor call detail records for suspicious calling patterns. Automatically output traffic reports that identify possible unauthorized access. Encourage employees to report strange language on voice messages and from callers, especially outside normal business hours.
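The "Monitor calls" item above names the patterns worth alerting on: after-hours toll calls, shared or stolen authorization codes and a sudden burst of trunk use. As an added example, not from the original paper or any vendor's CDR reporting tool, the script below runs those checks over a few constructed Call Detail Records; the CDR column layout, the thresholds and the business hours are assumptions.

```python
"""After-hours toll fraud detection over Call Detail Records (CDR).

Added example, not from the original paper or any Meridian, CS 1000, BCM or
Norstar CDR tool. It flags the patterns the checklist describes: toll calls
after hours, one authorization code used from many extensions, a burst of
simultaneous trunk use, and pay-per-minute 9xx calls. The CDR layout and all
records are constructed: timestamp,orig_ext,dialed,duration_s,auth_code,trunk.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: one normal Friday call, a Saturday 02:00 burst of
# international calls sharing one auth code, and a Monday premium-rate call.
SAMPLE_CDR = """timestamp,orig_ext,dialed,duration_s,auth_code,trunk
2009-03-13T10:15:00,4417,5551234,120,,T01
2009-03-14T02:10:00,4417,011441632960001,1800,7731,T02
2009-03-14T02:12:00,4418,011441632960002,1750,7731,T03
2009-03-14T02:15:00,4419,011441632960003,1700,7731,T04
2009-03-14T02:20:00,4417,011441632960004,600,7731,T05
2009-03-16T09:30:00,4420,19005550199,300,,T01
"""
INTL_PREFIXES = ("011", "00", "+")   # assumed international access codes
PREMIUM_PREFIX = "1900"              # assumed pay-per-minute 9xx prefix


def parse_cdr(text):
    """Parse CDR CSV text; adds datetime 'start' and 'end' to each record."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["start"] = datetime.fromisoformat(r["timestamp"])
        r["end"] = r["start"] + timedelta(seconds=int(r["duration_s"]))
        rows.append(r)
    return rows


def is_after_hours(ts, start=8, end=18):
    """Outside Monday-Friday start..end; weekends always count as after hours."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def is_toll(number):
    return number.startswith(INTL_PREFIXES) or number.startswith(PREMIUM_PREFIX)


def peak_concurrency(rows):
    """Most calls active at the same instant (a proxy for trunks in use)."""
    events = [(r["start"], 1) for r in rows] + [(r["end"], -1) for r in rows]
    events.sort()                    # at equal times an end (-1) sorts first
    peak = active = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak


def analyze_cdr(rows, code_source_limit=1, after_hours_limit=3, trunk_limit=3):
    """Return human-readable alerts; the thresholds are illustrative."""
    alerts = []
    code_sources = defaultdict(set)   # auth code -> extensions that used it
    after_hours_toll = Counter()      # auth code (or extension) -> toll calls
    for r in rows:
        if r["auth_code"]:
            code_sources[r["auth_code"]].add(r["orig_ext"])
        if is_toll(r["dialed"]) and is_after_hours(r["start"]):
            after_hours_toll[r["auth_code"] or r["orig_ext"]] += 1
        if r["dialed"].startswith(PREMIUM_PREFIX):
            alerts.append(f"premium-rate call to {r['dialed']} from ext {r['orig_ext']}")
    for code, exts in sorted(code_sources.items()):
        if len(exts) > code_source_limit:
            alerts.append(f"auth code {code} used from {len(exts)} extensions {sorted(exts)}")
    for who, n in sorted(after_hours_toll.items()):
        if n >= after_hours_limit:
            alerts.append(f"{n} after-hours toll calls charged to {who}")
    peak = peak_concurrency(rows)
    if peak > trunk_limit:
        alerts.append(f"{peak} simultaneous calls exceeds trunk threshold {trunk_limit}")
    return alerts
```

Running `analyze_cdr(parse_cdr(SAMPLE_CDR))` on the constructed records produces four alerts: the shared code 7731, its four after-hours international calls, the four concurrent calls at 02:20 and the premium-rate call.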
Restrict long distance and international calls. Long distance and international locations are the major destinations for toll fraud calls. Restrict long distance, international and interstate calls if authorized users do not normally place calls to these locations. If users do place calls to long distance or international locations, allow only the area codes and country codes they require. Provide long distance or international calling capabilities only to users who require them, and make sure you restrict voicemail agents from making long distance or international calls as well. For other systems, make appropriate restrictions in the dialing class of service tables. Start by barring ALL long distance and international numbers, then enable only those you need to dial. Add dialing toll restrictions to prevent specific area codes, telephone numbers and long distance/international calls from being dialed. Use set restrictions, with tighter restrictions on out-dialing at night and on weekends. Consider time-of-day shutdowns, which can be set up so that toll restrictions on lines and telephone sets automatically come on after business hours (individual override codes and Class of Service passwords can be issued as required). In addition to restricting long distance calls, pay-per-minute 9xx services should be restricted.

Restrict Call Forward. Program your system so that extensions cannot forward calls to long distance numbers. Divert to mobiles only when they are known and registered in the system, and restrict all others.

Secure access codes and passwords. Don't allow employees to post access codes and passwords in plain view. Look under the terminal keyboards and in the other usual hiding places, because crooks will.

Know who is in your switch room. Secure access to your switch room at all times. Use escorts and monitors if required.
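The restriction items above amount to a default-deny dial plan with a narrow allowlist, an after-hours shutdown with override codes, and forwarding only to registered mobiles. As an added example, not the configuration of any Meridian, CS 1000, BCM or Norstar system, the following models that policy so each rule can be checked against a dialed number and a time of day; the number formats, the approved area and country codes, the registered mobile and the override code are constructed assumptions.

```python
"""Default-deny outbound dialing policy.

Added example, not from the original paper and not the configuration syntax
of any Meridian, CS 1000, BCM or Norstar system; it models the checklist's
rules so they can be reasoned about: bar all toll calls, then allow only
approved area codes and country codes; bar pay-per-minute 9xx services;
shut toll calling down after hours unless an override code is given; and
allow off-site call forwarding only to registered mobiles. Dial plan
assumptions: '1' + 10 digits is domestic toll, '011' + country code is
international; every sample value below is constructed.
"""
from datetime import datetime


class DialPolicy:
    def __init__(self, area_codes, country_codes, registered_mobiles,
                 override_codes, business_hours=(8, 18)):
        self.area_codes = set(area_codes)              # approved domestic toll
        self.country_codes = set(country_codes)        # approved international
        self.registered_mobiles = set(registered_mobiles)
        self.override_codes = set(override_codes)      # after-hours CoS passwords
        self.start, self.end = business_hours

    @staticmethod
    def classify(digits):
        """One of: premium, international, domestic_toll, local."""
        if digits.startswith("1900"):                  # 9xx pay-per-minute
            return "premium"
        if digits.startswith("011"):
            return "international"
        if digits.startswith("1") and len(digits) == 11:
            return "domestic_toll"
        return "local"

    def destination_approved(self, kind, digits):
        """Allowlist check: anything not explicitly approved is barred."""
        if kind == "domestic_toll":
            return digits[1:4] in self.area_codes
        if kind == "international":
            return any(digits[3:].startswith(cc) for cc in self.country_codes)
        return False

    def after_hours(self, when):
        return when.weekday() >= 5 or not (self.start <= when.hour < self.end)

    def evaluate(self, digits, when, override_code=None, forwarding=False):
        """Return (allowed, reason) for an outbound attempt at time `when`."""
        kind = self.classify(digits)
        if kind == "premium":
            return False, "premium-rate 9xx service barred"
        if forwarding:   # external forwarding: registered mobiles only
            if digits in self.registered_mobiles:
                return True, "forward to registered mobile"
            return False, "off-site forwarding only to registered mobiles"
        if kind == "local":
            return True, "local call"
        if not self.destination_approved(kind, digits):
            return False, f"{kind} destination not on the approved list"
        if self.after_hours(when) and override_code not in self.override_codes:
            return False, "toll calling shut down after hours; override code required"
        return True, f"approved {kind} destination"


# Constructed example configuration: one approved area code, one approved
# country code, one registered mobile and one after-hours override code.
POLICY = DialPolicy(area_codes={"416"}, country_codes={"44"},
                    registered_mobiles={"14165550147"},
                    override_codes={"883901"})
BUSINESS_DAY = datetime(2009, 3, 13, 10, 0)    # Friday 10:00
WEEKEND_NIGHT = datetime(2009, 3, 14, 2, 0)    # Saturday 02:00
```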
Nortel's Secure Trunk solution is a comprehensive set of tools and services that assists organizations in securing their Public Switched Telephone Network (PSTN) trunks across the entire organization, regardless of the number, type, size and variety of PBX systems in their voice network. The Secure Trunk solution provides centralized control over all corporate TDM and VoIP traffic on a per-call basis. Restricted, wasteful and abusive calls, including toll fraud, are alerted on and blocked in real time, based on the call access control policies constructed and distributed network-wide or across a select group of phones. Key benefits provided by the Secure Trunk solution include:

- Enable enterprise-wide voice network management
- Reduction of corporate telecom costs
- Secure voice network resources from toll fraud and other forms of abuse
- Ability to enforce policy by call type (voice, fax, modem)
- Promote employee compliance, accountability and productivity
- Leverage telephony investments
- Enhance business operations
- Improve voice network service performance
- Migrate to IP telephony

Third-party protective packages are available that can be used to monitor calling patterns (e.g., Technical Information Management System or TIMS). But most importantly, audit your system and make sure you use the features you have to prevent unauthorized access to long distance services. A major multi-national bank previously exposed to toll fraud operations used toll fraud prevention/billing/accounting systems and changed its international phone system security standards and procedures to address PBX security issues. Your attention to system security can help make the surprise phone bill something that will not happen to your enterprise.

Lock thieves out of your phone system.
The following table shows a non-exhaustive list of NTPs applicable to the current installed base of enterprise voice products. These documents can be used to help understand product configuration parameters and how to minimize security risks. Customers may request copies of these NTPs from their authorized reseller or download them from Nortel's website. Note that the publication reference revision numbers may change as documents are updated over time; thus, customers should always work with the latest revisions for the appropriate product release.

Product | Publication reference | Document title
Communication Server | NN rev 2.02 | Telephony Services Access Control Management
Communication Server | NN rev 2.09 | Security Management Fundamentals (UNIStim 3.0)
Communication Server | NN rev 2.12 | Enterprise Common Manager Fundamentals
Communication Server | NN rev 1.06 | Converging the Data Network with VoIP Fundamentals
Communication Server | NN rev 1.02 | Access Control Management Reference
Communication Server | NN rev 1.46 | Security Management Fundamentals
Communication Server | NN rev 1.06 | Enterprise Common Manager Fundamentals
Communication Server | NN rev 1.05 | Converging the Data Network with VoIP Fundamentals
Communication Server | rev 5.00 | Installation and Configuration
Communication Server | rev | System Security Management
Communication Server | rev 5.00 | Element Manager System Administration
Communication Server | NN rev 1.04 | Solution Integration Guide for Data Networks with Communication Server 1000 and Communication Server 1000 Applications
Communication Server | rev 3.00 | System Management
Communication Server | rev 1.00 | Installation and Configuration
Communication Server | rev 9.00 | System Security Management
Communication Server | rev 2.00 | Element Manager System Administration
Communication Server | rev 2.00 | System Management
General Security, Meridian | rev 7.00 | XII System Security Management
Communication Server 1000 | NN | Secure Unified Communications Whitepaper
CallPilot 5.0 | NN rev 1.02 | Network Planning Guide
CallPilot 5.0 | NN rev 1.16 | CallPilot Administrator Guide
CallPilot 5.0 | NN rev 1.03 | CallPilot Preventive Maintenance Guide
CallPilot | rev 1.03 | CallPilot Network Planning Guide
CallPilot | rev 1.18 | CallPilot Administrator Guide
CallPilot | rev 30_11-04 | CallPilot Network Planning Guide
CallPilot | rev 30_11-04 | CallPilot Administrator Guide
CallPilot | rev 25_10-03 | Network Planning Guide
CallPilot | rev 25_10-03 | Networking Enhancements Guide
CallPilot 2.02TR | rev 202tr_10-03 | Network Planning Guide
CallPilot 2.02TR | rev 202tr_10-03 | Networking Enhancements Guide
Remote Office | | Remote Office 9150 Installation and Administration Guide
Business Communications Manager 450 R1.0 | NN, Rev | Configuration Telephony
Business Communications Manager 450 R1.0 CallPilot | NN, Rev | CallPilot Manager Set Up and Operation Guide
Business Communications Manager 50 R3.0 | NN, Rev | BCM Networking Configuration Guide
Business Communications Manager 50 R3.0 CallPilot | NN, Rev | CallPilot Manager Set Up and Operation Guide
Business Communications Manager Release 4.0 | N, Rev | BCM 4.0 Networking Configuration Guide
Business Communications Manager Release 4.0 CallPilot | N, Rev 03 | CallPilot Manager Set Up and Operation Guide
Business Communications Manager Release 3.7 | N, Rev 03 | BCM200/400 Installation and Maintenance Guide (English)
Business Communications Manager Release 3.7 CallPilot | P, Rev 03 | CallPilot Manager Set Up and Operation Guide
Norstar Modular ICS Release 7.0 | N, Rev 03.2 | Modular ICS 7.0 Installer Guide (English)
Norstar Compact ICS Release 7.0 | N, Rev 03 | Compact ICS 7.0 Installer Guide (English)
Messaging 150 (Norstar: Messaging CallPilot 150) Release 3.1 | N, Rev 04.1 | CallPilot 100/150 Installation and Maintenance Guide (English)
Norstar: Messaging Voice Mail Release 4.0 | P, Rev 1.0 | Norstar Voice Mail 4.0 Reference Guide

NOTES:
(1) BCM 2.5 FP1 to BCM 3.5 products are all end-of-life (EOL) and are no longer supported in the field. BCM 3.6 and BCM 3.7 are manufacture-discontinued (MD).
(2) CallPilot 1.05, 1.06, 1.07, 2.0, 2.02, and 2.5 products are all end-of-life (EOL) and are no longer supported in the field.
(3) Customers may request clarification and information on Norstar MD/EOL products and/or their support status from their authorized resellers.

Nortel is a recognized leader in delivering communications capabilities that make the promise of Business Made Simple a reality for our customers. Our next-generation technologies, for both service provider and enterprise networks, support multimedia and business-critical applications. Nortel's technologies are designed to help eliminate today's barriers to efficiency, speed and performance by simplifying networks and connecting people to the information they need, when they need it. Nortel does business in more than 150 countries around the world. For more information, contact your Nortel representative, or call NORTEL from anywhere in North America.

Nortel, the Nortel logo, Business Made Simple, the Globemark, CallPilot, Meridian and Norstar are trademarks of Nortel Networks. All other trademarks are the property of their owners. Copyright 2009 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel assumes no responsibility for any errors that may appear in this document.